School Employees, Who Have Been Given Computer System Access Passwords, May Be Committing a Crime by Accessing Employee Email Accounts

Email is perhaps the most widely used form of business communication today because of its effectiveness. It is inexpensive, extremely fast, and can be printed or electronically stored for future reference. In school districts, email is used by administrators, teachers, students, parents, vendors, members of the community, and others to communicate information and transact business. Many of these communications are confidential as they contain personally identifiable information about students, medical information, and/or attorney-client privileged information, among types of confidential information.

Typically, school districts have one or more employees who are expressly authorized to access internal email. The nature and scope of the authorization is typically indicated in policy and/or in the person’s job description. Alternatively, however, there may be circumstances when the chief school administrator, in consultation with the board and board attorney, may grant authorization to a specific individual to access email for a specific, limited purpose.

Unfortunately, however, employees who are authorized to access email on a district’s server or on district computers may exceed the scope of their authorization. In addition, there may be employees who intentionally access other employees’ email accounts even though they have no authorization to do so. Sometimes employees access email improperly because they are seeking records they believe will be relevant to a pending legal case or in order to bring a legal claim. Other times, employees are simply curious and want to read or see information they otherwise are not allowed to read or see. Regardless of the motivation, employees who access email improperly could face criminal liability and, as discussed below, there are two divergent legal decisions for school officials to consider.1

Under New Jersey law, an employee will be guilty of computer criminal activity if s/he “purposely or knowingly and without authorization, or in excess of authorization” accesses, or attempts to access, any data on any computer or computer system, or alters, damages or destroys any such data.2 A guilty finding for computer criminal activity can be a second-, third- or fourth-degree crime depending on the circumstances, and where the crime involves a government entity, like a public school district, the sentence must include a period of imprisonment.3The guilt or innocence of an employee or former employee will likely turn on the meaning of “without authorization” or “in excess of authorization.”

In State v. Thompson,4 decided by the Law Division in 2016, two individuals who were employed by the City of East Orange Police Department (E.O.P.D.) in its Information Technology (IT) Division, were arrested and charged with computer theft and conspiracy to commit computer theft in connection with their allegedly unauthorized access of employee emails. One of the defendants, Tiffany Tucker, was employed as an IT Supervisor, and the other, Michael Thompson, was employed as an IT Technician. One of their co-workers overheard them having a conversation in which they purportedly discussed accessing department emails through the administration account. All IT personnel had an administrative login and password that allowed them to access the email system for maintenance or trouble-shooting. The co-worker reported this conversation to a police inspector and an investigation was subsequently undertaken.

It was then reported to the Essex County Prosecutor’s Office, Professional Standards and Corruption Bureau (Prosecutor’s Office) that Thompson and Tucker had engaged in computer-related misconduct. Based on a review of the E.O.P.D.’s computer system, the Prosecutor’s Office determined that, between April and July 2013, Thompson and Tucker had viewed the email contents and attachments of the E.O.P.D.’s executive staff, which included the Chief of Police, the City Administrator, the First Assistant Corporation Counsel, and the Accountant/Budget Officer, among others. During that same time period, Thompson and Tucker were plaintiffs in a lawsuit pending against the City of East Orange involving employment-related issues.

On September 26, 2013, Thompson and Tucker were arrested and charged with computer theft and conspiracy to commit computer theft. According to the complaint, Thompson and Tucker used their administrative login to read the emails of certain personnel for the purpose of getting information relating to the lawsuit they had pending. Both of them entered not guilty pleas and, subsequently, filed motions to dismiss the complaints against them for failing to state a prima facie case. The defendants argued that they could not be held criminally liable for their unauthorized access to other employees’ emails because the term “unauthorized access” under the computer crime law did not cover employees who already had password-protected access within the scope of their employment.

The Law Division judge acknowledged that there was no question that Thompson and Tucker, as employees working in the IT Division, had access to the E.O.P.D.’s email system for purposes of conducting maintenance or trouble-shooting. The issue was whether they accessed the email “knowingly and without authorization” or “in excess of authorization.” The court opined, based on the language of the statute, that there were three distinct situations in which an individual commits computer-related criminal activity: (1) purposely; (2) knowingly and without authorization; and (3) in excess of authorization that had already been granted.

In this case, the court found that the defendants used their login to access personal information beyond their purview as IT employees. Based upon a review of the legislative history, the court determined that, with respect to the phrase “in excess of authorization,” the “Legislature intended to hold individuals criminally liable who abuse the privilege of access beyond ‘the ordinary course of business.’” The court opined that, when the defendants allegedly accessed emails of other employees for their own personal reasons, they exceeded the access authorized by their employer.

A different result and conclusion was reached by another Law Division judge in 2009 in State v. Riley.5In Riley, a police sergeant accessed a mobile video recording database with a password provided by his police department, but did so in violation of departmental regulations. The police sergeant was charged with violating the statute and filed a motion to dismiss the indictment against him. The Riley court determined that the computer crime law was not applicable to employees who already possessed password-protected computer access through their employment. It noted that, while the Legislature did not define the phrase “in excess of authorization,” the court reviewed the legislative history and concluded that the law was not intended cover computer access that is generally authorized in the ordinary course of business.

The judge in the Thompson case rejected the rationale and conclusion of the Riley case. The judge in Thompson opined that the statutory language does not support the conclusion reached by the court in Riley. The judge determined that the phrase “in excess of authorization” contemplates that an actor with existing authorization may engage in criminally culpable activity, and that allowing a defendant to escape culpability because s/he was not an outsider breaking into a computer system suggests a limit in the law that does not exist.

The court in Thompson believed that computer-related criminal activity may be committed by a person within an organization such as the E.O.P.D. The court reasoned a reasonable person should understand that s/he is not authorized to access personal emails for the purpose of using information in them for an ongoing lawsuit. The court remarked that violations of workplace policies “constitute a breach of the agreement between the employer and the employee that dictates the terms of appropriate access at work.” It stated that allowing an employee to breach such policies and to escape criminal liability would create a safe haven for violators within an organization. Therefore, the court ultimately concluded that the Prosecutor’s Office had presented a prima facie case under the statute and denied the motion to dismiss the charges.

It remains to be seen whether the Thompson court’s broad interpretation of New Jersey’s computer-related crime law will ultimately prevail over the narrow interpretation by the Riley court. Regardless of which view ultimately prevails, school officials should review the job descriptions of key central office personnel and IT personnel to determine the appropriateness of the nature and scope of computer access that is granted thereunder. The job descriptions should be updated accordingly to address any conditions, limitations, or restrictions on such access. In addition, any board policies regarding computer system access should be reviewed and revised as necessary to address specific issues and concerns. Lastly, whenever school administrators become aware that an employee has improperly accessed district email because s/he lacks administrative authorization and/or has exceeded his/her authorization, the board attorney should be contacted to discuss disciplinary action and making a criminal complaint to the county prosecutor.